
Boundaries

Overview

Permissions Boundaries are a way to limit the maximum permissions that an IAM user can have. A permissions boundary acts as an upper limit on the policies attached to the entity. Even if a user has broader permissions through IAM policies, they cannot exceed the boundaries set by the permissions boundary.

Permissions boundaries do not grant permissions on their own; they only restrict the permissions granted by other policies.

The effective permissions of a user are the intersection of:

  • The permissions granted by IAM policies (attached via groups)
  • The permissions allowed by the permissions boundary (if set)

They are commonly used to enforce least privilege in organizations where IAM users should not escalate their own permissions.

Boundaries by example

Foreword

You can create permission boundaries to avoid, for instance, unknowingly granting permissions to users.

Using your root account, you have all the permissions on the system. It is thus highly recommended not to use it unless it’s an absolute necessity.

Let’s see together how you can use permission boundaries to restrict user rights.

For this example, we will want to define the following:

  • We want to have “Admin” users who are granted all the rights on the system; yet, they should be unable to create other “admins”
  • We want to have “Regular” users, who can be granted an extensive set of permissions; yet, they should never be able to create policies nor assign policies to a Group, since that is how a user could escalate permissions.

We’ll do this by:

  • Using Astran’s astran-admin built-in group
  • Creating a permission boundary for regular users
  • Creating a permission boundary for administrators

Creating a boundary for regular users

First, connect to Astran with your root account.

Navigate to “Access control” then “Policies”.

Click on “New policy”

In Path, select “/boundary/”. Note that, for convenience, you can choose to have a sub-path after /boundary/. Only policies under the /boundary/* path will be selectable later on, when creating a user.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:*",
        "iam:*",
        "ck:*"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Deny",
      "Action": [
        "iam:AttachGroupPolicy",
        "iam:DeleteUserPermissionsBoundary"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}

You now have a first boundary policy; in our example its ARN is arn:astran:iam::e45fa598-be4d-4468-9504-90bc8c86d0e9:policy/boundary/UserBoundary

Creating a boundary for administrators

Let’s create our second boundary, which will prevent administrators from creating other administrator users. Note that this action will still be possible through the root account.

As previously, create a new policy, which we will name AdminBoundary in the /boundary/ path.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:*",
        "iam:*",
        "ck:*"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Deny",
      "Action": [
        "iam:CreateUser"
      ],
      "Resource": [
        "arn:astran:iam::e45fa598-be4d-4468-9504-90bc8c86d0e9:user/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "iam:PermissionsBoundary": "arn:astran:iam::e45fa598-be4d-4468-9504-90bc8c86d0e9:policy/boundary/UserBoundary"
        }
      }
    }
  ]
}

Creating a first non-root administrator

We’ll then create our first non-root administrator.

In Access control, go to the Users tab:

  • Click on New user
  • Enter the new user's email address and select the built-in group astran-admin
  • Select the boundary boundary/AdminBoundary
  • Click on the Create button

The user will receive an email to activate the account.

Creating a regular user

Log out and log in with the newly created user. You can now create a regular user, following the same steps as before, but selecting the boundary boundary/UserBoundary.

You can try to select another boundary (or no boundary): you will see that your request gets rejected due to the boundary we just set.
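To make the intersection rule from the Overview and the two boundaries above concrete, here is an added example, not Astran’s own evaluation engine, that replays this page’s scenarios with a deliberately simplified policy evaluator. It assumes the astran-admin group grants everything (the page does not show its policy), and the user ARN “alice” is a constructed value.

```python
import fnmatch

# Added example, not Astran's own engine: a deliberately simplified evaluator for the
# "intersection" rule above (Action/Resource wildcards, explicit Deny, StringNotEquals only).
ACCOUNT = "arn:astran:iam::e45fa598-be4d-4468-9504-90bc8c86d0e9"
USER_BOUNDARY_ARN = f"{ACCOUNT}:policy/boundary/UserBoundary"
# The two boundary policies from this page, as Python dicts.
USER_BOUNDARY = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "iam:*", "ck:*"], "Resource": ["*"]},
    {"Effect": "Deny", "Resource": ["*"],
     "Action": ["iam:AttachGroupPolicy", "iam:DeleteUserPermissionsBoundary"]}]}
ADMIN_BOUNDARY = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "iam:*", "ck:*"], "Resource": ["*"]},
    {"Effect": "Deny", "Action": ["iam:CreateUser"], "Resource": [f"{ACCOUNT}:user/*"],
     "Condition": {"StringNotEquals": {"iam:PermissionsBoundary": USER_BOUNDARY_ARN}}}]}
# Assumption: the astran-admin group grants everything (the page does not show its policy).
ADMIN_GROUP_POLICY = {"Statement": [{"Effect": "Allow", "Action": ["*"], "Resource": ["*"]}]}

def _matches(stmt, action, resource, ctx):
    """Does this statement apply to the request (action, resource and condition context)?"""
    if not any(fnmatch.fnmatchcase(action, a) for a in stmt["Action"]):
        return False
    if not any(fnmatch.fnmatchcase(resource, r) for r in stmt["Resource"]):
        return False
    for key, value in stmt.get("Condition", {}).get("StringNotEquals", {}).items():
        if ctx.get(key) == value:  # StringNotEquals is false when the values are equal;
            return False           # a missing key therefore still matches, as in AWS
    return True

def evaluate(policy, action, resource, ctx):
    """'Deny' if any matching statement denies, 'Allow' if one allows, else None."""
    decision = None
    for stmt in policy["Statement"]:
        if _matches(stmt, action, resource, ctx):
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit deny always wins
            decision = "Allow"
    return decision

def is_allowed(identity_policy, boundary, action, resource, ctx=None):
    """Effective permission: allowed by the identity policy AND by the boundary, if set."""
    ctx = ctx or {}
    if evaluate(identity_policy, action, resource, ctx) != "Allow":
        return False
    return boundary is None or evaluate(boundary, action, resource, ctx) == "Allow"

if __name__ == "__main__":  # the admin from this page creating a user with UserBoundary: True
    print(is_allowed(ADMIN_GROUP_POLICY, ADMIN_BOUNDARY, "iam:CreateUser",
                     f"{ACCOUNT}:user/alice", {"iam:PermissionsBoundary": USER_BOUNDARY_ARN}))
```

Swapping the selected boundary for AdminBoundary, or omitting it, makes the same call return False, which is the rejection described above; the regular user’s boundary likewise denies iam:AttachGroupPolicy while still allowing s3 actions.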